Open Source and information security mailing list archives
 
Date: Fri, 02 Sep 2011 17:46:15 -0400
From: Valdis.Kletnieks@...edu
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

On Fri, 02 Sep 2011 20:55:35 -0000, "Thor (Hammer of God)" said:

> LOL.  "Warning, if you get the user to execute code, then it is possible to
> get the user to execute code!!  All you have to do is get files on their
> system, and then get them to execute those files!   Note that once you get the
> user to execute the code, it will actually run in the context of that user!!
> This is remote code execution vulnerability!"

> Welcome to today's Infosec!

The sad part is that this is the future of infosec as well.  Microsoft got the
security religion a few years back, and even I have to admit their current stuff
isn't that bad at all.  The various Linux distros are (slowly) getting their
acts together, and maybe even Apple and Adobe will see the light sometime
reasonably soon. Yes, there will still be software failures - but once the effort
of finding a new 0-day reaches a certain point, the economics change....

And once that happens, social engineering will become an even bigger part of
both the attack and defense sides of infosec.  For the black hats, the cost/
benefit of looking for effective 0-day holes will continue to drop, while the
cost/benefit of phishing a user will remain steady - so that's a push towards
more social engineering. Why go to the effort of spending 3 months finding a
browser bug that allows you to push malware to the victim's machine, when you
can just spend 45 minutes creating a "Your machine is infected - click here to
fix it" pop-up that will catch 80% of the people?

Meanwhile, as the software gets more hardened and patching is more automated,
the white hats will find a bigger percent of their time is spent defending
their systems from attacks triggered by their own users.  Because the failure
rate of people's brains is already about 4.7*10**9 times as high as the
software failure rate, and the ratio is only getting worse - software is
improving, people aren't.

Prediction 1: 10 years from now, organized crime will be hiring cognitive
psychologists to help design more effective phish the way they currently hire
programmers to write better spambots.

Prediction 2: It ain't gonna get better till the average IQ starts going up faster
than the software improves.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
